Field
Embodiments of the invention generally relate to techniques for managing digital certificates installed on a web server. More specifically, embodiments presented herein are directed to an automated approach for managing digital certificates for a single website that is associated with multiple digital certificates.
Description of the Related Art
Providing secure communication and protecting sensitive data is a well-known issue in a broad variety of contexts. For example, it is common for computer servers to use digital certificates to associate a server with a network domain. In such cases, clients use information contained in a certificate to verify the identity of a server and to establish a secure communication session with that server (e.g., an SSL or TLS session with a web server). More generally, digital certificates and public key infrastructure (PKI) techniques are used to create, distribute, and manage cryptographic keys used in a variety of contexts.
Administrators sometimes configure a single web server with multiple digital certificates. For example, one web server may host multiple domains, with a different SSL certificate configured for each domain. Similarly, a web server may be configured with multiple certificates for a single website on a common internet protocol (IP) address and port combination. Doing so allows clients with different capabilities to establish a secure session with the server. That is, a client that connects to the server advertises the cipher suites and signature algorithms it supports during the SSL handshake, and the server selects, from the certificates configured for that website, one that the client's capabilities can use. For example, the certificates may be issued for different public-key algorithms (e.g., RSA, DSA or ECDSA keys), for different key sizes, or for use with different ciphering algorithms. Typically, configuration files on the web server specify which certificates are available for establishing secure sessions with clients, along with the location of each certificate file.
Managing multiple certificates on a server can be a challenge. Some tools are available to automate the discovery, installation, and renewal of certificates configured on a web server. For example, existing solutions typically initiate an SSL handshake with the server in an attempt to identify a certificate configured on that server (the server presents a certificate as part of the SSL handshake). However, this approach does not address a server configured with multiple SSL certificates for the same website: the server presents only the one certificate that matches the capabilities of the probing client, so a single handshake results in one (of possibly many) certificates being discovered by the certificate management tool. Other approaches require an administrator to manually input a path to each certificate file in order to obtain a copy of the associated digital certificate.
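The following Go program is an added example and is not part of the patent text or of any product it describes. It models the multi-certificate server of the preceding two paragraphs with the standard crypto/tls package (an RSA and an ECDSA certificate for one name on one listener; ECDSA stands in for the DSA of the text because current TLS stacks no longer offer DSS cipher suites) and then runs the handshake-based discovery described above against it: a single default handshake elicits only one certificate, while one handshake per key type elicits both. The host name example.test, the self-signed certificates, the in-memory pipe in place of a network socket and the probe lists are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// host is an assumed name standing in for the website in the text.
const host = "example.test"

// mustSelfSigned issues a throwaway self-signed certificate for host. Test scaffolding only:
// a real web server loads operator-issued certificates from the paths in its configuration.
func mustSelfSigned(key crypto.Signer, serial int64) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newServerConfig models the web server in the text: an RSA and an ECDSA certificate for the
// same name on one listener. Per handshake, crypto/tls presents the first certificate that the
// client's offered cipher suites and signature algorithms can use.
func newServerConfig() *tls.Config {
	rsaKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &tls.Config{Certificates: []tls.Certificate{mustSelfSigned(rsaKey, 1), mustSelfSigned(ecKey, 2)}}
}

// probe runs one handshake over an in-memory pipe and returns the leaf the server presented.
// TLS 1.2 is pinned so the choice follows the offered cipher suites (TLS 1.3 would follow
// signature_algorithms instead); a nil suite list offers Go's defaults. Verification is skipped
// because an inventory probe must also record expired or untrusted certificates; nothing is
// trusted on the basis of this connection.
func probe(serverCfg *tls.Config, suites []uint16) (*x509.Certificate, error) {
	clientCfg := &tls.Config{ServerName: host, InsecureSkipVerify: true, CipherSuites: suites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	c.SetDeadline(time.Now().Add(10 * time.Second)) // a stuck handshake fails instead of hanging
	s.SetDeadline(time.Now().Add(10 * time.Second))
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, serverCfg).Handshake(); s.Close() }()
	cli := tls.Client(c, clientCfg)
	cerr := cli.Handshake()
	c.Close()
	if serr := <-errc; cerr != nil || serr != nil {
		return nil, fmt.Errorf("handshake failed: client=%v server=%v", cerr, serr)
	}
	return cli.ConnectionState().PeerCertificates[0], nil
}

// discover handshakes once per probe and returns the distinct certificates seen, keyed by
// SHA-256 fingerprint and described by public-key type (e.g. "*rsa.PublicKey").
func discover(serverCfg *tls.Config, probes [][]uint16) (map[string]string, error) {
	found := map[string]string{}
	for _, suites := range probes {
		cert, err := probe(serverCfg, suites)
		if err != nil {
			return nil, err
		}
		found[fmt.Sprintf("%x", sha256.Sum256(cert.Raw))] = fmt.Sprintf("%T", cert.PublicKey)
	}
	return found, nil
}

// naiveProbes is the single default handshake of the tools in the text; keyTypeProbes offers
// one key type per handshake so that every certificate the server holds is elicited.
var (
	naiveProbes   = [][]uint16{nil}
	keyTypeProbes = [][]uint16{{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, {tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}
)

func main() {
	serverCfg := newServerConfig()
	for _, probes := range [][][]uint16{naiveProbes, keyTypeProbes} {
		found, err := discover(serverCfg, probes)
		fmt.Printf("%d probe(s): %d distinct certificate(s) %v err=%v\n", len(probes), len(found), found, err)
	}
}
```

Against a real server the same probe would dial host:443 instead of one end of a net.Pipe, and a thorough tool would add probes for the other key types, key sizes and signature algorithms the server might be configured with (including TLS 1.3 signature_algorithms), since each handshake can only ever return the one certificate the server picks for that probe. The fingerprint key is what lets the tool recognise that two probes returned the same certificate rather than two different ones.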